Introduction to OpenBSD Networking

06/13/2000

In today's Internet-centric computing world, networking components are a paramount feature of any system worth its salt. Easily falling into that category, OpenBSD contains strong network code and configuration interfaces which, with a little research and learning, can be put to powerful use. This series of articles aims to illustrate that with practical examples and direct application to real-world situations.

In contrast to its sysv counterparts like Linux, OpenBSD has a very different way of controlling network interfaces and setting parameters. Other competing systems commonly use menu-based or graphical configuration utilities to make the administrator's life easier. OpenBSD chooses to stray from this, instead focusing its efforts on the functionality and correctness of its networking components. The example being used here is the setup of a gateway machine with one PPP interface and one Ethernet interface.

Interface control

The first thing you'll want to do when configuring an OpenBSD machine to participate on a network is set basic parameters on the network interfaces. First, using an Ethernet interface called le0 (in this case on a Sun workstation):

# ifconfig le0 192.168.0.1 up netmask 255.255.255.0

A breakdown of this syntax:

ifconfig - Interface Config utility

le0 - The network interface in question

192.168.0.1 - The interface's IP address

up - Whether to raise the interface (up) or drop it (down)

netmask 255.255.255.0 - The interface's netmask

To display the results of this, issue the command:

# ifconfig -a

This will display all network interface configuration/status information.

Once interface parameters have been set, the system stores them
automatically. Some other parameters such as static default routes and
interface IP addresses can be stored in /etc/mygate and
/etc/hostname.interface respectively in a simple format:

Although ifconfig is the primary tool for interface control and
manipulation, checking status is more commonly done using netstat
(Network Statistics Utility). Simply running the command:

# netstat

will produce a list of active TCP connections. Running the command:

# netstat -i

will provide a slightly more usable listing of interface
information, which will look roughly like:

This shows the network statistics both for the overall interface and with openbsd.org, with which it has been in frequent communication. It is interesting to note that this method of configuration and network diagnostics differs only very slightly from that of Linux and other systems, but their users will primarily set this information using linuxconf, YaST, or other point-and-click tools.

WAN interface control

As a truly Internetworked operating system, OpenBSD has the
functionality to control your network's WAN interface(s) and act as a
router. However, support for things like frame relay and DDS is nonexistent and ISDN support is very limited. The majority of people
using OpenBSD on a WAN implement PPP over an analogue modem.

OpenBSD has stepped up from using the raw
pppd (Point to Point Protocol Daemon) to control PPP, having developed
a userland interface called simply ppp. The ppp utility is controlled
by the file /etc/ppp/ppp.conf. Some examples:

With this configuration in place, invoking ppp to dial is as simple as running:

# ppp -ddial myisp

Routing

The final stage in setting up a machine to act as a small network
gateway is to implement the routing. Most commonly in this situation
you would have internal addresses on the inside of the gateway and use
network address translation (NAT) to perform the gatewaying. This will be discussed in a later
installment; here we only cover basic routing.

OpenBSD uses the standard Unix routing tool route. Syntax differs
slightly from other systems, but the premise remains the same. To
print your existing routing table, issue the command:

# route -n show

The -n flag tells route not to try to perform any hostname lookups
and to use IP addresses only, with show telling it to print the routing
table. The output for this example should look roughly like:

The first line shows the default gateway (the other end of the PPP
link) as being 203.25.128.33. The second line is for the internal
address range of 192.168.0.1 to go through link#1 (le0). The third
line is for 192.168.0.5, a frequently used workstation. In this case,
our OpenBSD machine has mapped the MAC address of the workstation
directly for faster routing.

Let us assume we want to add the address
range of 192.168.1.* to the network. The 192.168.0.* and 192.168.1.*
machines do not need to talk to each other, but they both need to talk
to the server. They are all physically cabled on the same
network. First, you would add a virtual interface so that le0 had both
the addresses 192.168.0.1 and 192.168.1.1. This is done by editing
/etc/ifaliases to contain the line:

le0 192.168.1.1 255.255.255.0

Secondly, add the route for the 192.168.1.1 range by issuing the
command:

# route add 192.168.1.0 192.168.1.1

A simple breakdown of this command:

route - route utility

add - add a route to the table

192.168.1.0 - target address range

192.168.1.1 - IP to use as a gateway (in this case, a local one)
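
Added example, not part of the original article: POSIX shell functions that work through the subnet arithmetic behind the alias and route steps above, showing that 192.168.1.1 is not on a network le0 is attached to until the alias from /etc/ifaliases is in place. The function names are illustrative assumptions; the addresses and netmask are the ones used in the article.

```sh
#!/bin/sh
# Added example: subnet checks for the addresses used in this article.

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
ip_to_int() {
    case $1 in *[!0-9.]*|*.) return 1 ;; esac      # only digits and dots, no trailing dot
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|0?*|????*) return 1 ;; esac   # empty, leading zero, too long
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the network address that ADDR ($1) belongs to under MASK ($2).
network_of() {
    addr=$(ip_to_int "$1") || return 1
    mask=$(ip_to_int "$2") || return 1
    net=$(( addr & mask ))
    echo "$(( net >> 24 & 255 )).$(( net >> 16 & 255 )).$(( net >> 8 & 255 )).$(( net & 255 ))"
}

# Succeed if IFADDR ($1) and PEER ($2) are in the same network under MASK ($3).
on_link() {
    a=$(network_of "$1" "$3") || return 2
    b=$(network_of "$2" "$3") || return 2
    [ "$a" = "$b" ]
}

# check_gateway GATEWAY MASK IFADDR...: is GATEWAY on a directly connected network?
check_gateway() {
    gw=$1; gw_mask=$2; shift 2
    for ifaddr in "$@"; do
        if on_link "$ifaddr" "$gw" "$gw_mask"; then
            echo "$gw is on-link via $ifaddr"; return 0
        fi
    done
    echo "$gw is not on any configured network"; return 1
}

# le0 with only its primary address, then with the alias from /etc/ifaliases.
check_gateway 192.168.1.1 255.255.255.0 192.168.0.1 || true
check_gateway 192.168.1.1 255.255.255.0 192.168.0.1 192.168.1.1
```
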

With all this in place, you should have a nice secure OpenBSD gateway to the Internet. The majority of people are using Linux, FreeBSD, and Windows NT for this kind of application, but, as has been demonstrated, it's not difficult to produce a gateway using OpenBSD that will run on nearly any hardware and provide superior security and unprecedented reliability.

David Jorm has been involved with open source and security projects for several years, originally with OpenBSD and Debian GNU/Linux, now with the development team at wiretapped.net.